
Watchguard 550e and multiWAN

At my place of work, we are wanting to add some bandwidth capacity to our network that services ~200 users and half a dozen servers. We currently have 3 bonded T1's as our primary WAN link.

We have had a Comcast business class broadband service installed that is a 100 down / 10 up link. It has shown itself to be fairly reliable in multiple tests when directly connected before the firewall (as in, we get 80ish or more download speed consistently).

We have then connected our new connection to a port on our firewall. We wanted to do some additional testing before we truly enabled multi-WAN on the firewall and let it run. So we created a firewall policy that routed HTTP traffic from a workstation internal IP to use the new external connection. This worked fine; however, now our speed tests are consistently in the 10-20 down range. We have played with different sorts of policy settings for this (HTTP policy, TCP/UDP packet filter and proxy filter), and all of them yield the same results. Obviously, 10-20 is still a decent bit more bandwidth than we had before, but we would prefer to be getting most of what we are paying for.

I have noticed that our firewall consistently uses 50-60% CPU during the daytime, with consistent spikes to 80%+, but I am not familiar enough with troubleshooting firewalls to know if that is a harder consistent load than they should run. I also noticed that we seem to always sit at the maximum number of concurrent sessions that our firewall supports, but I would think that wouldn't affect speed once a connection was made.

Any suggestions on what I should do to troubleshoot this? I have reviewed the current policies in the machine, and there don't seem to be any crazy policies that might affect anything. Again, I am fairly new to firewalls, and while I understand the concepts of how they work, I don't really have a grasp of how what they do might affect speeds, etc.

We do something similar in some of our remote offices that only have a T1 or a bonded T1. We have a Time Warner business class cable circuit that we use for web traffic in our remote offices. We use ASA 5505's. I think the issue may be the max throughput on the Watchguard. The ASA 5505 has a max throughput of 150 Mbps (or something very close). This throughput is in both directions, so if all traffic was outbound we would get the max throughput on the device (or something close to it). The issue is that throughput is measured in both directions. I would check the throughput on that device. If you want to get closer to your provider's SLA you may have to upgrade it. Also, do you have a layer 3 switch connected to your firewall? Instead of connecting the Watchguard to the firewall I would connect to the switch and use a static route to route your HTTP traffic to the Watchguard. This way you're not using your firewall as a transit device, which should reduce the load on the firewall.


Sorry, I thought you had an additional firewall in place besides the Watchguard. If you're consistently getting 50-60 percent CPU spikes and some as high as 80, that is definitely an issue. Also, if you're hitting your max connections as well, it may be worthwhile looking at upgrading the device. Have you gotten with Watchguard tech support? I wonder if there is an updated firmware available. Is it just the CPU that spikes, or is it memory utilization as well? Are there any VPNs terminating on this device? Any kind of deep packet inspection is going to increase the load on the CPU as well. I'm more familiar with Cisco devices, but it may be something to look at.

We are currently exploring potential replacements. I am looking hard at Cisco and Check Point. Before we make any definite moves, I at least want to have a better understanding of what our current problem may be. I appreciate your responses!


Yeah, some of those spikes look like they are over 80 percent at times. Is this device doing anything else like web filtering, virus scanning, spam filtering, etc. besides packet inspection? From what it looks like, you need to upgrade your device. I would first give Watchguard support a call just to verify that there isn't a hardware issue going on or maybe a bug in a particular firmware.